FTP and PPTP in different servers behind NAT

Discussion in 'Cisco' started by Josep M Homs, Aug 3, 2006.

  1. Josep M Homs

    Josep M Homs Guest

    Hi,

    I'm trying to set up an 827 (12.2(8)) router with the following scenario:
    -all the PPTP related traffic on the inside global interface must be
    sent to the VPN server (server1) in the inside local LAN.
    -all the FTP (and others like www, mail...) related traffic on the
    inside global interface must be sent to the DMZ server (server2)
    in the inside local LAN.

    The only way I found to map the GRE protocol to the internal server is
    to assign all the traffic to it, with an entry like this (TCP 1723 is no
    problem with a static entry):

    ip nat inside source static server1ip globalip

    So does anyone know if it is possible to send ONLY the GRE traffic to a
    given host?

    I ask that because the normal behaviour would be for the "default
    server" to be server2 (because it offers all the services but VPN).
    Additionally, I have not found a way to specify a port range in ip
    nat, so passive FTP connections are not working correctly (writing
    64000 rules manually or automagically, one per port, is not an option,
    and neither is modifying the port range in the FTP server).

    So, if there is no way to redirect only GRE, is it possible to redirect
    non-privileged ports (>1023) to server1 without writing lots of lines
    like:

    ip nat inside source static tcp server2ip 1024 interface ATM0.1 1024

    I know that in an ACL it is possible to do a gt 1023, but how to apply
    that to ip nat...!


    In the actual situation, if I do:

    ip nat inside source static server1ip globalip
    the VPN works correctly but passive FTP does not

    and if I do

    ip nat inside source static server2ip globalip
    the passive FTP works correctly but obviously PPTP does not

    so, any hint?

    Thanks in advance ..
    Josep M Homs, Aug 3, 2006
    #1

  2. Josep M Homs

    Merv Guest

    Merv, Aug 5, 2006
    #2

  3. Josep M Homs

    Josep M Homs Guest

    so, that means that from 12.1(4)T, GRE is implicitly redirected to the
    same host when TCP 1723 is...

    I'm going to try ...

    Thank you very much !!
    Josep M Homs, Aug 6, 2006
    #3
  4. Josep M Homs

    Merv Guest

    Josep M Homs wrote:
    > so, that means that from 12.1(4)T, gre is implicitly redirected to the
    > same host when 1723 TCP is ...
    >
    > I'm going to try ...



    I think what it means is that Cisco is creating a separate NAT
    translation entry (actually a PAT entry) for each GRE session. I assume
    they are using the GRE PPTP peer call ID to identify the session; wild
    guess on my part.

    I am not sure which end initiated the opening of the GRE tunnel, so you
    may need to ensure that your inbound access list allows GRE.
    Merv, Aug 6, 2006
    #4
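    The mechanism Merv guesses at above is how PPTP's GRE variant is actually laid out: RFC 2637 uses an "enhanced GRE" header whose Key field carries a Payload Length and a Call ID, and a NAT device that wants to forward inbound GRE to more than one inside server has to look at that Call ID, since GRE carries no port number for a static `ip nat` entry to match on. The parser below is an added illustration written for this thread, not code from the original posts or from Cisco; it parses the enhanced GRE header, then uses a hypothetical per-call table (outside peer address, Call ID) -> inside server, standing in for the per-session translation entries Merv describes. The call-table contents, addresses and the server names are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Enhanced GRE header used by PPTP (RFC 2637, section 4).  The constants below
# are the RFC's field values; the table and hosts further down are constructed.
PPTP_GRE_PROTOCOL = 0x880B   # protocol type: PPP carried in GRE
FLAG_K = 0x20                # first flag byte: Key field present (always set for PPTP)
FLAG_S = 0x10                # first flag byte: Sequence Number present
FLAG_A = 0x80                # second flag byte: Acknowledgment Number present
VERSION_MASK = 0x07          # second flag byte: version, must be 1 for enhanced GRE


@dataclass
class PptpGre:
    call_id: int            # low word of Key: the receiver's Call ID (NAT demux key)
    payload_length: int     # high word of Key: length of the PPP payload
    seq: Optional[int]
    ack: Optional[int]
    payload: bytes


def _u32(pkt: bytes, offset: int) -> int:
    if len(pkt) < offset + 4:
        raise ValueError("truncated GRE header")
    return struct.unpack("!I", pkt[offset:offset + 4])[0]


def parse_pptp_gre(pkt: bytes) -> PptpGre:
    """Parse an enhanced GRE header; raise ValueError on anything that is not PPTP GRE."""
    if len(pkt) < 8:
        raise ValueError("short GRE header")
    flags0, flags1, proto, payload_len, call_id = struct.unpack("!BBHHH", pkt[:8])
    if not (flags0 & FLAG_K):
        raise ValueError("Key field absent: plain GRE, not PPTP")
    if (flags1 & VERSION_MASK) != 1:
        raise ValueError("not enhanced GRE (version != 1)")
    if proto != PPTP_GRE_PROTOCOL:
        raise ValueError(f"unexpected protocol type 0x{proto:04x}")
    offset = 8
    seq = ack = None
    if flags0 & FLAG_S:
        seq = _u32(pkt, offset)
        offset += 4
    if flags1 & FLAG_A:
        ack = _u32(pkt, offset)
        offset += 4
    payload = pkt[offset:offset + payload_len]
    if len(payload) != payload_len:
        raise ValueError("payload shorter than the header's Payload Length")
    return PptpGre(call_id, payload_len, seq, ack, payload)


def build_pptp_gre(call_id: int, payload: bytes, seq: Optional[int] = None,
                   ack: Optional[int] = None) -> bytes:
    """Build an enhanced GRE packet (used here to construct test input, not captured traffic)."""
    flags0 = FLAG_K | (FLAG_S if seq is not None else 0)
    flags1 = (FLAG_A if ack is not None else 0) | 1          # version 1
    hdr = struct.pack("!BBHHH", flags0, flags1, PPTP_GRE_PROTOCOL, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


# Hypothetical per-call translation table: (outside peer, Call ID) -> inside server.
# A real PPTP ALG learns the Call ID from the TCP/1723 control connection; this
# example simply pre-populates the table to show the demultiplexing step.
CallTable = Dict[Tuple[str, int], str]


def inside_host_for(table: CallTable, outside_peer: str, pkt: bytes) -> Optional[str]:
    """Return the inside server owning this GRE session, or None if it is untracked/malformed."""
    try:
        gre = parse_pptp_gre(pkt)
    except ValueError:
        return None
    return table.get((outside_peer, gre.call_id))


if __name__ == "__main__":
    # Constructed sample: one tracked call from peer 203.0.113.9 with Call ID 0x1234.
    table: CallTable = {("203.0.113.9", 0x1234): "server1"}
    tracked = build_pptp_gre(0x1234, b"\xff\x03\xc0\x21", seq=7)
    untracked = build_pptp_gre(0x9999, b"\xff\x03\xc0\x21", seq=1)
    print(parse_pptp_gre(tracked))
    print("tracked   ->", inside_host_for(table, "203.0.113.9", tracked))
    print("untracked ->", inside_host_for(table, "203.0.113.9", untracked))
```

    An inbound GRE packet whose (peer, Call ID) pair is not in the table gets no inside host and is dropped, which is also why Merv's closing remark matters: the same path has to admit GRE (IP protocol 47) in the first place, or the call IDs are never seen.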
